The Economics of Information Security: A Survey and Open Questions

Ross Anderson, Tyler Moore

Cambridge University

Economics and Security
  • The link between economics and security atrophied after WW2
  • Since 2000, information security economics has become a hot topic, with 100 researchers and now two annual workshops (WEIS, WESII)
  • Economic analysis often explains failure better than technical analysis!
  • Infosec mechanisms are used increasingly to support business models (DRM, lock-in, …)
  • Research is now spilling over to dependability, conventional security, trust and risk
Traditional View of Infosec
  • People used to think that the Internet was insecure because of lack of features – crypto, authentication, filtering
  • So engineers worked on providing better, cheaper security features – AES, PKI, firewalls …
  • About 1999, we started to realize that this is not enough
Incentives and Infosec
  • Electronic banking: UK banks were less liable for fraud, so ended up suffering more internal fraud and more errors
  • Distributed denial of service: viruses now don’t attack the infected machine so much as use it to attack others
  • Health records: hospitals, not patients, buy IT systems, so they protect hospitals’ interests rather than patient privacy
  • Why is Microsoft software so insecure, despite market dominance?
New View of Infosec
  • Systems are often insecure because the people who could fix them have no incentive to
  • Bank customers suffer when bank systems allow fraud; patients suffer when hospital systems break privacy; Amazon’s website suffers when infected PCs attack it
  • People connecting an insecure PC to the net don’t pay full costs, so we under-invest in antivirus software (Varian)
  • The move of businesses online led to massive liability dumping (Bohm et al)
New Uses of Infosec
  • Xerox started using authentication in ink cartridges to tie them to the printer (1996)
  • Followed by HP, Lexmark … and Lexmark’s case against SCC
  • Motorola started authenticating mobile phone batteries to the phone in 1998
  • The use of security technology to manipulate switching costs and tie products is now widespread
  • Vista will make compatibility control easier for software writers
Platform Security Lifecycle
  • High fixed/low marginal costs, network effects and switching costs all tend to lead to dominant-firm markets with big first-mover advantage
  • Microsoft philosophy of ‘we’ll ship it Tuesday and get it right by version 3’ was quite rational
  • When building a network monopoly, woo complementers by skimping on security, and choosing technology like SSL that dumps the compliance costs on the user
  • Once you’re established, lock everything down
Other Investment Effects
  • Security may depend on best effort (security architect), weakest-link (careless programmer) or sum-of-efforts (testing)
  • Analysis (Akerlof, Varian) suggests firms should hire more testers, and fewer but better programmers (this is happening!)
  • Security products can be strategic complements (and tend to be a lemons market anyway)
  • Security product adoption is a hard problem unless you provide early adopters with local benefits
  • So very many products fail to get adopted
Security and Liability
  • Why did digital signatures not take off?
  • Industry thought: legal uncertainty. So EU passed electronic signature law
  • But customers and merchants resist transfer of liability by bankers for disputed transactions
  • Best to stick with credit cards, as that way fraud is still largely the bank’s problem
  • Similar resistance to phone-based payment – people prefer prepayment plans because of uncertainty
Privacy Economics
  • Gap between stated and revealed preferences!
  • Odlyzko – technology makes price discrimination both easier and more attractive
  • Varian – interests of consumers and firms not in conflict but information markets fail because of externalities and search costs. Educated consumers opt out more
  • Acquisti et al – people care about privacy when buying clothes, but not cameras (some items relate to your image, so are privacy sensitive)
  • Externalities cut both ways, though – to be anonymous, you need to be in a crowd
Open versus Closed?
  • Are open-source systems more dependable? It’s easier for the attackers to find vulnerabilities, but also easier for the defenders to find and fix them
  • Theory: openness helps both equally if bugs are random in standard dependability model
  • So maybe we should keep systems closed (Rescorla) – but this is an empirical question
  • So get the statistics: bugs are correlated in a number of real systems (‘Milk or Wine?’)
  • Trade-off: the gains from this, versus the risks to systems whose owners don’t patch
Vulnerability Markets
  • Security isn’t just a lemons market – even the vendor often doesn’t know the quality of his software
  • Insurance can be problematic because of inter-firm failure correlation
  • Camp and Wolfram (2000), Schechter (2002): try vulnerability markets
  • Two traders now exist (but prices secret)
  • Alternatives – software quality derivatives (Böhme), bug auctions (Ozment)
How Much to Spend?
  • How much should firms spend on information security?
  • Governments, vendors say: much much more than at present (But they’ve been saying this for 20 years!)
  • Measurements of security return-on-investment suggest current expenditure may be about right
  • But SMEs spend too little, big firms too much, and governments way too much
  • Adams: it’s the selection of the risk managers
Games on Networks
  • The topology of a network can be important!
  • Barabási and Albert showed that a scale-free network could be attacked efficiently by targeting its high-order nodes
  • Think: rulers target Saxon landlords / Ukrainian kulaks / Tutsi schoolteachers /…
  • Can we use evolutionary game theory ideas to figure out how networks evolve?
  • Idea: run many simulations between different attack / defence strategies
Games on Networks (2)

Vertex-order attacks with:

  • Black – normal (scale-free) node replenishment
  • Green – defenders replace high-order nodes with rings
  • Cyan – they use cliques (cf. systems biology …)
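As an added illustration of the vertex-order attack discussed on the two Games on Networks slides (example code, not part of the original slides): it builds a Barabási–Albert preferential-attachment graph and compares the largest surviving component after the k highest-degree nodes are removed with the component left after k random node failures, which is the robustness measurement underlying the black curve above. The ring and clique defences are not modelled; the sizes n, m, k and the seeds are constructed parameters.

```python
import random
from collections import deque

def barabasi_albert(n, m, seed=0):
    """Scale-free graph: each new node links to m existing nodes chosen by degree."""
    rng = random.Random(seed)
    adj = {i: set() for i in range(n)}
    targets = list(range(m))   # the first added node links to all m seed nodes
    pool = []                  # degree-weighted pool: a node appears once per edge end
    for new in range(m, n):
        for t in targets:
            adj[new].add(t)
            adj[t].add(new)
            pool += [new, t]
        chosen = set()
        while len(chosen) < m:   # preferential attachment for the next node
            chosen.add(rng.choice(pool))
        targets = list(chosen)
    return adj

def largest_component(adj, removed):
    """Size of the largest connected component after deleting `removed` nodes."""
    seen, best = set(removed), 0
    for start in adj:
        if start not in seen:
            seen.add(start)
            queue, size = deque([start]), 0
            while queue:                 # breadth-first search over survivors
                u = queue.popleft()
                size += 1
                for v in adj[u]:
                    if v not in seen:
                        seen.add(v)
                        queue.append(v)
            best = max(best, size)
    return best

def vertex_order_attack(adj, k):
    """Vertex-order attack: the k highest-degree nodes (the hubs) are removed."""
    return set(sorted(adj, key=lambda u: len(adj[u]), reverse=True)[:k])

def random_failure(adj, k, seed=1):
    return set(random.Random(seed).sample(sorted(adj), k))   # degree-blind baseline

def compare(n=300, m=2, k=30, seed=0):
    """Largest surviving component: k hubs removed vs k random failures (constructed sizes)."""
    adj = barabasi_albert(n, m, seed)
    hubs, rand = vertex_order_attack(adj, k), random_failure(adj, k, seed + 1)
    return {"hub_attack": largest_component(adj, hubs),
            "random_failure": largest_component(adj, rand)}
```

Calling `compare()` returns both component sizes; the hub attack leaves a much smaller giant component than the same number of random failures, which is why the slides look at defences that replace high-order nodes.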
The price of anarchy
  • Some technical cases soluble, e.g. routing with linear costs, 4/3 (Roughgarden et al)
  • Big CS interest in combinatorial auctions for routing (Papadimitriou et al)
  • Big practical problem: spam (and phishing)
  • Proposed techie solutions (e.g. puzzles) put the incentive in the wrong place
  • Peer-to-peer systems: clubs?
Vista and Competition
  • A live EU concern – workshop on Monday
  • IRM – Information Rights Management – changes ownership of a file from the machine owner to the file creator
  • Files are encrypted and associated with rights management information
  • Switching from Office to OpenOffice in 2010 might involve getting permission from all your correspondents
  • Other cases of lock-in harming innovation
Vista and Competition (2)
  • How should we think of DRM? The music industry wanted it while the computer industry hated it. This is flipping. Microsoft embraced DRM and the music industry’s now wavering
  • Varian, 2005: what happens when you connect a concentrated industry to a diffuse one?
  • Answer, 2006 – Apple runs away with the money
  • Answer, 2007 – Microsoft appears to be making a play to control high-definition content distribution (Gutmann)
Large Project Failure
  • Maybe 30% of large projects fail
  • But we build much bigger failures nowadays than 30 years ago so…
  • Why do more public-sector projects fail?
  • Consider what the incentives are on project managers versus ministers – and what sort of people will become successful project managers versus ministers!
The Information Society
  • More and more goods contain software
  • More and more industries are starting to become like the software industry
  • The good: flexibility, rapid response
  • The bad: frustration, poor service
  • The ugly: monopolies
  • The world will be full of ‘things that think’ (and that exhibit strategic behaviour)
  • How will society evolve to cope?
More …
  • Economics and Security Resource Page – (or follow link from
  • WEIS – Annual Workshop on Economics and Information Security – next at CMU, June 7–8 2006